When people consider data protection officers and privacy regulators, they mostly think about foreign agencies who have made headlines with their battles to protect sensitive personal information from misuse or abuse, such as the U.K. Information Commissioner’s Office or France’s Commission nationale de l’informatique et des libertés (CNIL). In January, the CNIL fined Google 50 million euros “in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” And earlier this month, the ICO fined Bounty UK Limited 400,000 pounds because the pregnancy and parenting club “illegally shar[ed] personal information belonging to more than 14 million people.” Last year, the Hong Kong privacy commissioner launched an investigation into “the massive data breach at Cathay Pacific Airways that affected millions of its passengers.”
Although the data protection agencies can be restricted in their efforts in many ways, and there are questions about the adequacy of some of them, it is notable that these countries have a national agency to handle the privacy and security of sensitive personal data. They also have data protection officers at lower levels of government.
In the United States, there is no one information protection agency at the federal level. The responsibility is splintered, and the agencies’ power can be handicapped. Some of the agencies include the Privacy and Civil Liberties Oversight Board, the Department of Homeland Security’s Privacy Office, the Department of Health and Human Services, and the Federal Trade Commission.
The PCLOB was recommended by the 9/11 Commission, and the board was created in 2004 and placed within the White House. In 2008, Congress passed and President Bush signed the “Implementing the 9/11 Commission Recommendations Act of 2007,” which took the Privacy and Civil Liberties Oversight Board out of the White House and established it “as an independent agency within the executive branch.” Although it has been hobbled throughout its history by vacancies, it has released reports on the National Security Agency’s bulk telephone records surveillance program and on the surveillance program conducted under Section 702 of FISA.
The DHS Privacy Office, created in 2002 under 6 U.S. Code § 142 of the Homeland Security Act, was the first statutorily required privacy office in any federal agency. It is “responsible for evaluating Department programs, systems, and initiatives for potential privacy impacts, and providing mitigation strategies to reduce the privacy impact,” the agency says. It has published Privacy Impact Assessments of agency programs and issues a variety of mandatory reports.
HHS administers the Health Insurance Portability and Accountability Act of 1996, which concerns all forms of protected health data, including written and electronic. It involves data security as well as information privacy.
The FTC’s main privacy regulatory authority comes from Section 5 of the FTC Act, which enables the agency to investigate unfair and deceptive acts in or affecting commerce. In February, Musical.ly, now known as TikTok, agreed to pay $5.7 million to the FTC to settle allegations that it “illegally collected personal information from children.” Currently, the FTC is negotiating a settlement with Facebook over the news that the social media site had allowed outside companies, such as political consultancy Cambridge Analytica, to harvest the personal data of millions of its users.
Facebook and other technology companies also have received unwanted attention from state and D.C. attorneys general over data privacy. In December, D.C. Attorney General Karl Racine was the first to file a lawsuit against Facebook over the Cambridge Analytica scandal. Google is being sued by Mississippi Attorney General Jim Hood, who accuses the company of “collecting personal and search-history information from students in order ‘to advance its own business interests and increase its profit,’” in violation of the state Consumer Protection Act. New Mexico Attorney General Hector Balderas is suing Google, Twitter and others over allegations of violating federal and state laws on children’s privacy.
Attorneys general have a range of responsibilities, which include consumer data protection. But some states are going further and creating the roles of chief privacy officers, or offices with similar responsibilities under different names, such as compliance or privacy program officers. A March report from the National Association of State Chief Information Officers details the growth.
It explains, “States create people’s identities with birth certificates and end legal identities with death certificates. They create drivers’ licenses and hold personal information related to health, education, criminal records, victim records, financial information, and family status.” And, “the explosion of electronic personally identifiable information in the last several years has meant that organizations and governments have had to hire staff to deal with the privacy implications.”
The first state chief privacy officer took the role in 2003 in West Virginia, and now there are 12 states with such officials, NASCIO says. “Of the twelve, four had been in the position for less than a year, two for less than two years and four for less than four years. The other two had held the role for over ten years.”
The power of the officer position varies among the states, but it is heartening to see that states are taking privacy seriously enough that more are beginning to create specific oversight agencies to direct the state response. However, we still need a federal data protection agency with strong investigative, punitive and enforcement powers to keep the sensitive personal data of individuals secure nationwide.